BEAST Hack Threatens Security of Webmail, Online Shopping


Two security researchers say they have found a way to break the
encryption used in one of the most common security protocols on
the Web, a protocol used by all sorts of sites, ranging from
banking to email.

Secure Sockets Layer, or SSL, is a protocol used to keep data
secure as it moves between the user and the server he or she is
logged into.

It was invented by developers at Netscape in the 1990s, has been
upgraded many times since and is now often referred to by the
newer name Transport Layer Security, or TLS. TLS 1.0, implemented
in 1999, is the standard
security protocol for many thousands, if not millions, of
websites.

Researchers Thai Duong and Juliano Rizzo, who presented their
findings today (Sept. 23) at the Ekoparty security conference in
Buenos Aires, Argentina, said they can decrypt SSL and TLS
"cookies" — bits of text that identify users — and gain access to
restricted accounts.

Duong and Rizzo call the software Browser Exploit Against
SSL/TLS, or BEAST, and claim it can decrypt secure cookies in
minutes. That’s especially noteworthy because some websites — for
example, Google or Facebook — use cookies to keep you logged in
even after you browse away from their pages.

Moxie Marlinspike, co-founder of Whisper Systems, a company that
provides Android security software, said he hasn't seen BEAST and
as such can't say anything about that exploit specifically. But
Duong and Rizzo have said it is for TLS 1.0, rather than the
newer TLS 1.1.

TLS 1.1 is a more secure version of TLS that's been out since
2006, although right now only the Microsoft
Internet Explorer 9 and Opera Web browsers support it. (They
both also support TLS 1.2, introduced in 2008, while Apple
Safari, Google Chrome and Mozilla Firefox are stuck on TLS 1.0.)

Despite that, Marlinspike pointed out that Google will soon be
issuing a patch to Chrome that is only a few lines of code, and
yet defeats BEAST without upgrading to TLS 1.1.

Not many websites actually use TLS 1.1, said Marsh Ray, a
software developer at Phone Factor, a firm that provides security
protocols. (Upgrading the entire Web to support TLS 1.1 or 1.2
would be a massive undertaking.)

Ray said he spoke to Rizzo and Duong about their work and saw
many of the details. While he doesn’t see this exploit as
evidence that SSL/TLS is "broken," he thinks it's important that
vendors issue patches for their browsers.

Keeping it secret

The key thing about BEAST, Ray said, is that it implements a
previously theoretical method of decrypting SSL traffic.

When encrypting data, SSL uses something called an "initialization
vector," which mixes randomly chosen data into the plaintext
before it is encrypted. That makes it more difficult for an
attacker to crack the code, because even if a user sends the same
data twice, the end result won't look the same.

Another feature of SSL is that it encrypts discrete data blocks
of fixed length — and each block after the first one uses a piece
of the previous block in the encrypted text. That prevents a
block from being cracked on its own.

BEAST gets around this with a variation on the
"man in the middle" attack. It inserts a piece of Java code
into a browser, and tricks the browser into making a request of a
server.

Since the attacker using BEAST knows what plaintext was sent, he
can use that to guess at the contents of an encrypted cookie. The
attacker then can deduce what the initialization vector is. This
makes decryption of the user’s data — and the associated session
token — much easier.

TLS 1.1 solves that problem by using a new initialization vector
for each block of text. But TLS 1.0 does not have that feature.
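The difference the last two paragraphs describe, as an added example that is not code from the article or from Duong and Rizzo: records are encrypted in CBC mode, once with TLS 1.0-style chaining (the next record's IV is the previous record's last ciphertext block, visible on the wire) and once with TLS 1.1-style fresh IVs. The block cipher here is a constructed toy Feistel network standing in for the real cipher, and the record contents are constructed sample data.

```python
import os
import hashlib

BLOCK = 16  # block size in bytes, as for AES

def _round(key: bytes, half: bytes, i: int) -> bytes:
    # Constructed Feistel round function (stand-in for a real cipher; not secure).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte, 4-round Feistel cipher. Invertible, for illustration only."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, right, i)))
    return right + left  # undo the final swap so decryption mirrors encryption

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, right, i)))
    return right + left

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block (or the IV)."""
    assert len(plaintext) % BLOCK == 0, "caller pads to a whole number of blocks"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)

def encrypt_records(key: bytes, records: list, explicit_iv: bool) -> list:
    """Encrypt a sequence of records as seen on the wire, returning (iv, ciphertext) pairs.
    explicit_iv=False: TLS 1.0 style, record n is chained off the last block of record n-1.
    explicit_iv=True:  TLS 1.1 style, a fresh random IV is generated and sent with each record."""
    wire, chain_iv = [], os.urandom(BLOCK)  # first IV comes from the handshake (constructed here)
    for pt in records:
        iv = os.urandom(BLOCK) if explicit_iv else chain_iv
        ct = cbc_encrypt(key, iv, pt)
        wire.append((iv, ct))
        chain_iv = ct[-BLOCK:]  # what TLS 1.0 will use as the next IV
    return wire

def next_iv_known_in_advance(wire: list) -> bool:
    """Defender's check: is every record's IV equal to the previous record's last ciphertext
    block, i.e. known to anyone watching the connection before the record is even sent?"""
    return all(wire[n][0] == wire[n - 1][1][-BLOCK:] for n in range(1, len(wire)))

if __name__ == "__main__":
    key = os.urandom(16)
    recs = [b"GET /mail HTTP/1", b"Cookie: session=", b"Cookie: session="]  # constructed
    print("TLS 1.0 chaining, IV predictable:", next_iv_known_in_advance(encrypt_records(key, recs, False)))
    print("TLS 1.1 explicit IV, IV predictable:", next_iv_known_in_advance(encrypt_records(key, recs, True)))
```

With explicit per-record IVs the two identical "Cookie" records also encrypt to different ciphertext, which is the property the article describes for the initialization vector.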

Greg Bard, an associate professor at the University of
Wisconsin-Stout, described a similar method of decrypting SSL
cookies in 2006, though his treatment was more theoretical.

"There’s a lot of information in the metadata," Bard said.

Bard's method also can reduce the amount of guessing that needs
to be done to retrieve the plaintext. Duong and Rizzo have simply
brought his theoretical work to life, though they have declared
that they arrived at their solution independently.

Methods of defanging

Ray said SSL/TLS is not insecure as a result of attacks such as
this one.

"A lot of things still have to go right [for the attacker]," Ray
said.

Patches can be issued for Safari and Firefox, as well as Chrome,
for example. In the meantime, there are some things website
administrators can do to mitigate the problem.

One would involve switching the cipher to RC4, which has been
widely used as a stream cipher, one that encrypts one byte at a
time rather than in discrete blocks. While RC4 has
vulnerabilities, they are different and more complicated to
exploit.

Neither Ray nor Marlinspike think SSL/TLS is going away, nor do
they think it is insecure.

"It's a fundamentally good protocol," Ray said, noting that most
attacks on SSL are not attacking the encryption itself but other
steps in the connection process.

Marlinspike said a bigger problem with SSL/TLS is the way the
system uses certificate authorities, little-known companies that
issue the "certificates" that websites use to prove their
identity to Web browsers.

Marlinspike suggested a certificate system in which browsers rely
on several authorities, rather than just one at a time, to verify
a website. The odds of more than one certificate authority being
compromised at a time are remote.

Bard said that as an alternative, many servers might move to
another protocol called identity-based encryption. In that
scheme, a message that is tampered with will simply never get to
the recipient.

"If someone begins to play with the [encryption] keys, the data
goes to the wrong place," Bard said.

SSL/TLS "was designed by people without much experience in
cryptography or security," Marlinspike said. "When it comes to
secrecy and integrity, they did some things wrong."

But the age and longevity of SSL/TLS are a testament to its
usefulness and durability, Marlinspike added.